Author Topic: export to pfx?  (Read 20889 times)

Offline leemidgley

  • Newbie
  • *
  • Posts: 3
export to pfx?
« on: May 27, 2011, 10:36:48 AM »
Hi,

I have renewed the code sign certificate and i can't export the pfx from within IE certificates - the options are diabled on IE8.

Can only do top 3
DER, Base-64 & .P7B

This has been an ongoing issue since I renewed - gone through the process 3 times now. (pvk and spc files don't seem to match when using signcode.exe)

Lee.

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 654
    • Comodo Technical Support
Re: export to pfx?
« Reply #1 on: May 27, 2011, 10:50:59 AM »
Hi,

I have renewed the code sign certificate and i can't export the pfx from within IE certificates - the options are diabled on IE8.

Can only do top 3
DER, Base-64 & .P7B

This has been an ongoing issue since I renewed - gone through the process 3 times now. (pvk and spc files don't seem to match when using signcode.exe)

Lee.

This typically means that IE doesn't have access to the private key. You may need to import the PVK & SPC file into the Windows Certificate Store using 'imprtpvk.exe' [ https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1344 ]

Worst comes to worst, you may need to re-apply for your code signing certificate if you recently applied so that you can get a PFX file.

Offline leemidgley

  • Newbie
  • *
  • Posts: 3
Re: export to pfx?
« Reply #2 on: May 27, 2011, 02:34:49 PM »
Thanks for the reply but that documentation is now out of date with the latest Windows 7.1 sdk from Microsoft, If I'm not mistaken it is now called: pvk2pfx.exe

but when I try that I get an error:-

pvk2pfx -pvk mykey9.pvk -spc mykey9.spc -pfx mykey9.pfx
ERROR: Password incorrect or PVK file corrupted.
(Error Code = 0x80090005).

This is the same problem when I use signtool with pvk and spc.

So I was wondering wether it would be possible to use the certificate placed in IE when I ordered instead
You know the certifcate comodo put in IE certificates - should that have a private key by default?...  just thinking if it's todo with IE8, do you know people who have successfully gone through this process in IE8?

I've been trying to get this to work now for over 2 months + 2 free renews & countless support emails going over the same things to different support staff over and over again...  I don't think another renew will make any difference, I need to try something different.  ( in 2009 I did this and it worked straight away but then I was on XP sp2 and IE6)

Another question, why don't you simply send the .pfx when ordering, it would make things a lot lot easier. do you keep a record of the pvk password entered on your website?   (I used the same one as I used in 2009)

Thanks,
Lee.

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 654
    • Comodo Technical Support
Re: export to pfx?
« Reply #3 on: May 27, 2011, 07:08:00 PM »
Thanks for the reply but that documentation is now out of date with the latest Windows 7.1 sdk from Microsoft, If I'm not mistaken it is now called: pvk2pfx.exe

but when I try that I get an error:-

pvk2pfx -pvk mykey9.pvk -spc mykey9.spc -pfx mykey9.pfx
ERROR: Password incorrect or PVK file corrupted.
(Error Code = 0x80090005).

This is the same problem when I use signtool with pvk and spc.

You're most likely using the wrong SPC/PVK file combination or the password is wrong.

Quote
So I was wondering wether it would be possible to use the certificate placed in IE when I ordered instead You know the certifcate comodo put in IE certificates

I don't think you can because that appears to have been revoked when you got the replacements.

Quote
- should that have a private key by default?
If you added it via the SPC file, no. If we did, then usually it does.

Quote
just thinking if it's todo with IE8, do you know people who have successfully gone through this process in IE8?

It has nothing to do with IE8 and everything to do with the Microsoft Certificate Enrollment ActiveX control. It's a bit wonky.

Quote
I've been trying to get this to work now for over 2 months + 2 free renews & countless support emails going over the same things to different support staff over and over again...  I don't think another renew will make any difference, I need to try something different.  ( in 2009 I did this and it worked straight away but then I was on XP sp2 and IE6)

Simply put, you need to use Firefox and export it out as a P12/PFX file for use with signtool. It's the one thing that support certificate enrollment really well.  You will need to go through one more re-issue to achieve this. Re-open a ticket with our Support team and get your certificate re-issued, this time using Firefox.

Quote
Another question, why don't you simply send the .pfx when ordering, it would make things a lot lot easier.

While it would make things easier, it compromises the integrity of the certificate since another party now has access to the private key. What happens when you apply for these types of certificates on IE is a little ActiveX control creates a CSR/PrivateKey pair on your local machine and sends us the CSR and we then kick out a certificate after the validation process. As a result, we never see the private key.

Quote
do you keep a record of the pvk password entered on your website?   (I used the same one as I used in 2009)

No, for security reasons we do not.

Offline leemidgley

  • Newbie
  • *
  • Posts: 3
Re: export to pfx?
« Reply #4 on: May 28, 2011, 05:31:38 AM »
ok, thanks... I will try the re-issue and firefox route...  I've noticed every 3 times IE8 hasn't had the private key in the certificate.

just one quick question when I renew with firefox when ordering...  use these settings?

select 'Microsoft Enhanced Cryptographic Provider 1.0'
select 'Key storage: In the file' (.pvk) like I have before?
select 'Key size: 2048'
Exportable 'ticked'
User protected 'unticked'

My usage is to sign exe's with signtool.

Thanks,
Lee.

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 654
    • Comodo Technical Support
Re: export to pfx?
« Reply #5 on: May 28, 2011, 10:44:00 AM »
ok, thanks... I will try the re-issue and firefox route...  I've noticed every 3 times IE8 hasn't had the private key in the certificate.

just one quick question when I renew with firefox when ordering...  use these settings?

select 'Microsoft Enhanced Cryptographic Provider 1.0'
select 'Key storage: In the file' (.pvk) like I have before?
select 'Key size: 2048'
Exportable 'ticked'
User protected 'unticked'

My usage is to sign exe's with signtool.

Thanks,
Lee.


You won't see those settings with Firefox.

You'll need to export the certificate as a .p12 file [ https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1221 ], then rename the file extension with .pfx because signtool complains otherwise.

 

Seo4Smf 2.0 © SmfMod.Com | Smf Destek